Privacy Policy

FROMTRIBE OÜ — PRIVACY POLICY

Effective Date: 15 October 2025

This Privacy Policy explains how Fromtribe OÜ (“From Tribe”, “we”, “our”, “us”) collects, uses, discloses, and protects personal data in connection with its online marketplace, vendor platform, and related services (“Platform”).


We handle all personal data transparently and in accordance with the EU General Data Protection Regulation (GDPR) and the Estonian Personal Data Protection Act.

1. Data Controller

Fromtribe OÜ
Registry no.: 17336307
Address: Lootsa tn 5, 11415 Tallinn, Estonia
Email: contact@fromtribe.com

From Tribe acts as the data controller for data processed through the Platform. Other parties may act as independent or joint controllers:

  1. Vendors – independent controllers for customer data received for order fulfilment. Vendors may contact us at contact@fromtribe.com for GDPR compliance guidance.
  2. Stripe Payments Europe Ltd – independent controller for payment information.

2. Categories of Data We Collect

  1. Account Data – name, email, company details, address, phone number, login credentials.
  2. Transaction Data – orders, delivery address, payment status, communication.
  3. Communication Data – messages via forms, chat, or vendor dashboard.
  4. Technical Data – IP address, browser, device ID, cookies, logs.
  5. Marketing & Analytics Data – newsletter engagement, campaign response, behavioural metrics.

See Section 3 for how and why we use this data.

3. Purpose and Lawful Basis of Processing

The law requires us to explain why we are allowed to use your personal data. When we refer to “Art. 6(1)(a–f),” we mean the legal grounds under Article 6 of the EU General Data Protection Regulation (“GDPR”). In summary:

  1. Consent – your explicit permission for specific data uses.
  2. Contract – necessary to deliver services or perform our agreement with you.
  3. Legal Obligation – required to comply with laws or tax regulations.
  4. Legitimate Interest – used to operate, secure, and improve the Platform without overriding your rights.

The table below shows how these bases apply to each activity.

| Purpose | Lawful Basis | Examples |
| --- | --- | --- |
| Account setup & management | Art. 6(1)(b) – contract | User registration, vendor onboarding |
| Order processing & fulfilment | Art. 6(1)(b) – contract | Confirmations, shipping updates |
| Payments via Stripe | Art. 6(1)(b),(f) | Secure payment handling, fraud prevention |
| Customer support | Art. 6(1)(b) | Service communication |
| Marketing & newsletters | Art. 6(1)(a) – consent | Promotional emails, campaigns |
| Platform analytics & UX improvement | Art. 6(1)(f) – legitimate interest | Aggregated usage analysis |
| Legal & tax compliance | Art. 6(1)(c) – legal obligation | Accounting, VAT reporting |
| Fraud & risk management | Art. 6(1)(f) – legitimate interest | Monitoring abuse |
| AI & predictive services | Art. 6(1)(f)/(a) – legitimate interest / consent | Training models, personalised recommendations |
| Market insight & data-driven services | Art. 6(1)(f) – legitimate interest | Aggregated trend and performance reports |

AI & Predictive Services: We may process pseudonymised or aggregated transactional and behavioural data to develop and train algorithmic models that improve the Platform, personalise recommendations, forecast demand, and produce anonymised market insights. No legally binding decisions are made without human review. For personal profiling beyond legitimate interest, explicit consent is requested and can be withdrawn at any time.

4. Data Sharing and Recipients

Personal data is shared only as necessary for lawful operations:

  1. Vendors – to fulfil orders and process returns.
  2. Stripe Connect – for secure payment processing.
  3. Service Providers – IT hosting, analytics, email and logistics partners under DPAs.
  4. Authorities – where legally required.
  5. Aggregated Data Use – shared only in anonymised form for market insight or research.

We never sell personally identifiable information.

5. Data Retention

| Data Type | Retention Period |
| --- | --- |
| Account & transaction records | 7 years after last activity (legal obligation) |
| Marketing consent data | Until withdrawn |
| Technical logs | 6 months unless required for legal purposes |
| Aggregated / anonymised data | Indefinitely (non-personal) |

6. International Transfers

Data is stored within the EEA. Transfers outside the EEA may occur to trusted partners in the United Kingdom, Switzerland, and Nordic regions using:

  1. EU adequacy decisions, or
  2. Standard Contractual Clauses plus supplementary safeguards.

All vendors and processors must apply GDPR-equivalent standards. If we use service providers or analytics tools located outside the European Economic Area (for example, in the United States), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and implement supplementary safeguards such as encryption and access controls to ensure your data remains protected to EU standards.

7. Data Subject Rights

You have the right to: access, rectify, erase, restrict, port, and object to processing; and withdraw marketing consent at any time. The right to data portability applies to data that you have provided to us under consent or contractual necessity.

 

Contact: contact@fromtribe.com. Responses within one month per GDPR.

8. Cookies and Tracking

Cookies support core functions (e.g., login, cart), analytics, and AI training. Non-essential cookies (e.g., marketing, analytics) load only after consent via the cookie banner. See our Cookie Policy at fromtribe.com/cookie-policy for details on cookie types, purposes, and management options. If the policy is not yet available, contact us at contact@fromtribe.com.

9. Data Security

We employ encryption, access controls, and secure servers. Payments are handled through Stripe, PCI DSS Level 1 certified.

10. Market Insights, Predictive Analytics & Investment Services

From Tribe uses aggregated or anonymized data from platform transactions, sales, and vendor activity to improve the Platform and support growth. Examples of such uses include, but are not limited to:

  1. Analyzing sales trends (e.g., “30% of sales are handmade jewelry”).
  2. Forecasting demand to optimize platform features.
  3. Supporting partnerships or investment evaluations.

 

These analytics are fully anonymized and do not identify any vendor or person. For uses that may identify vendors, such as rankings (e.g., “Top 10 Brands”) or AI-driven brand recommendations (e.g., “Explore [Brand]”), vendors are included to boost visibility unless they opt out via the dashboard at fromtribe.com/settings or by emailing contact@fromtribe.com. This processing is based on our legitimate interest (GDPR Art. 6(1)(f)) to build a data-driven marketplace, while respecting your rights.

 

10.1 Each party shall notify the other within 72 hours of becoming aware of a personal-data breach that may risk individuals’ rights, including:

  1. the breach’s nature, categories, and number of affected data subjects or records;
  2. its likely consequences; and
  3. measures taken or planned to address it.

 

10.2 Both parties shall work together to investigate and resolve any data breach. Vendors must provide requested breach details in writing within 48 hours of From Tribe’s request to meet GDPR deadlines.

11. Automated Decision-Making

From Tribe does not engage in fully automated decision-making that produces legal or significant effects within Article 22 GDPR. AI tools assist but never replace human judgment. 

You may request manual review or opt out of AI-based personalisation at any time.

12. Changes to This Policy

We may update this Policy periodically. Material changes will be notified by email or dashboard notice. Continued use after updates constitutes acceptance.

13. Contact and Complaints

Fromtribe OÜ
Lootsa tn 5, 11415 Tallinn, Estonia
Email: contact@fromtribe.com

 

Complaints may be lodged with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, Tatari 39, 10134 Tallinn, Estonia, info@aki.ee, www.aki.ee) or your local EU supervisory authority.